Businesses in the legal sector are a potential goldmine for cyber criminals, with confidential client records offering rich pickings.
The kind of information that circulates daily in the industry – banking records, company accounting reports, address details and insurance records – can be extremely valuable to cyber criminals. Identity theft, IP theft and bank fraud are just some of the hacker’s potential gains.
But what can law firms do to reduce the chances of a successful data breach?
Different people are susceptible to different forms of cyber attack, and analysing this victimology can be vital in helping IT leaders in law firms reduce their cyber risk profile. By identifying the most prevalent risk factors, the psychological basis for those risks and the profile of the roles most affected by them, law firms and Barristers' Chambers can determine the best methods for their IT to mitigate these risks in the legal sector.
Training the brain to tackle cyber risk
The emotional brain is stronger and quicker than the logical brain, and this can cause people to make incorrect and rash decisions where cyber security is concerned. This is especially true in high-pressure work environments. A combination of high standards and a heavy workload makes it easy for a tired brain to look for a quick fix in order to get on to the next task. Impulsive and emotional decisions are more common in this state, and these can lead to a security breach.
Once law firms and Barristers' Chambers begin to take a modern, psychologically-minded approach to their cyber security, they’ll find an actual, tangible change in online behaviour. By accounting for this ‘human factor’ in cyber security (a combination of psychology and education), law firms can start to seal the cracks in their cyber defences and reduce the chances of succumbing to a data breach. Whether a firm wishes to prevent phishing, malware, password attacks or ransomware, employees can be a first line of defence.
A good cyber security strategy starts with people.
The National Cyber Security Centre found that even though 75% of respondents ran ongoing awareness programmes, only 15% exhibited the positive behaviours and heightened awareness the programme was designed to create.
It’s one thing to train staff; it’s quite another for staff to act on that training. Through awareness raising and training, we are suggesting that the rational brain can be increasingly accessed to form a more effective mindset in tackling cyber risk. Organisations need their people to have a curious and questioning brain, but one that still follows cyber security processes even when under internal or external pressure: that ideal mix of the emotional and the rational.
Ciaran Martin, CEO of the National Cyber Security Centre: “[Businesses need to] get serious about understanding the human being in all this… I think this is the most important shift in thinking over the past year or so, the wider recognition of the importance of the user... To get cyber security right, we need to connect those human factors to that Boardroom conversation.”
What doesn't work
- The tick-box approach: taking a check-box approach assumes that everything will be OK if firms comply with a set of rules or training standards.
- The training manual approach: overwhelming staff with technical information or giving them unwieldy ‘training manuals’ is ineffective; simply reading facts doesn’t mean those facts will be acted on.
- The one-off training session approach: these painfully unengaging marathon sessions have little impact because of the sustained concentration they demand from the people being trained.
- The “doom and gloom” approach: simply telling individuals how damaging a cyber attack could be won’t elicit changes in behaviour. It can increase the danger of ‘data breach fatigue’, which can be counter-productive in changing behaviour.
What does work
- A behavioural approach: education needs to work on human psychology itself and counter our instinctive emotional responses; analogue instincts must be adapted for the digital age.
- A bite-size approach: it’s well documented within educational psychology that people digest more information in smaller, regular bites.
- An adaptive, individualised approach: different people learn in different ways, so incorporate a variety of video, text and images to cater for the individual.
- A modern approach: embrace modern technology that enables training to be done at a time and place convenient for the individual.
- A verified approach: individuals should be tested to ensure they have retained the information adequately and would be able to act on it.
CyberAware powered by CybSafe - The future of cyber resilience training
Sprout IT's new cyber resilience training partner, CybSafe, provides an intelligent approach to cyber resilience training that puts data at your fingertips and helps you measure, understand and reduce human cyber risk whilst improving cyber security awareness, behaviour and culture within your organisation. To speak with one of our team members about the service, please call us on 020 7036 8530 or contact us here.
To learn more about our cyber resilience service please check out our CyberAware Powered By CybSafe page.